Xcitium’s Endpoint Virtual Jail Aims To Lock Up Mystery Malware

Drew Conry-Murray

Xcitium is an Endpoint Detection and Response (EDR) vendor that sells client software that uses multiple methods to protect endpoints. Methods include anti-virus, a host firewall, a Host Intrusion Protection System (HIPS), and a technique it calls ZeroDwell Containment.

The first three components are straightforward. The AV software relies on signatures to detect known malware. The firewall can block inbound and outbound connections based on administrator-defined policies. The HIPS component lets administrators create rules around what applications and file paths are allowed to run on the machine.

It’s the ZeroDwell Containment that caught my eye when I was briefed by Xcitium at a NetEvents media summit in February 2023. ZeroDwell Containment looks to protect hosts from unknown malware and zero-days for which signatures haven’t been developed.

At a high level it works like this: If an unknown file or executable requests runtime privileges on an endpoint, the Xcitium agent introduces a virtualization layer between the unknown software and the host’s file system, kernel, registry, COM interface, and other components.

“We intercept kernel calls using filter drivers and redirect those calls to a virtualization layer to mimic the intended object or service,” said Tim Bandos, Xcitium’s Executive VP of SOC Services, in an interview. “So instead of providing the actual resource, we provide a virtualization layer to prevent damage.”

Meanwhile, the Xcitium agent sends a copy of the unknown program to Xcitium's cloud service for more detailed analysis. If the analysis comes back clean, the file or executable is released from the virtualization layer and allowed to run normally. If it comes back malicious, the file is removed from the host.

Sounds Familiar

This virtualization element reminded me of a similar approach developed by a startup called Bromium. Bromium’s client software launches micro-VMs for processes that run on an endpoint to contain malicious activity.

If I recall correctly, one major downside of Bromium's approach was that hosting multiple micro-VMs on a PC or laptop could become quite resource-intensive, degrading the performance of the host. To my knowledge, Bromium hasn't made a significant dent in the endpoint security space. The company was acquired by HP in 2019, and its technology now ships under the HP Wolf Security brand.

Bandos says Xcitium gets around the resource consumption problem in a couple of ways. First, it only relies on the ZeroDwell Containment feature for unknown files and executables. “If it’s an executable we’ve never seen before, and there’s no threat intelligence on it, that gets sent to the virtualization layer. If it’s a known good binary, we trust it. If there’s no static indicators of malware, we let it run.”

Second, ZeroDwell Containment is “our last line of defense. We have AV with known signatures to block and tackle up front.”

Finally, he claims the virtualization process itself consumes only a tiny amount of memory and CPU, a claim you'd expect the company to make, and one that potential customers should test on their own hardware before buying.

One potential issue with ZeroDwell Containment is its dependence on cloud-based analysis. If the endpoint isn't connected to the Internet, the virtualization layer has to keep running and hold the unknown software in containment until cloud analysis becomes available.

“If an endpoint is disconnected from the cloud, we keep the malware in the container,” said Bandos. “The end user can still interact with the device or application, but we don’t allow it access to data or memory. It remains segregated until we can look it up.”
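The pipeline described above (signature check, reputation check, contain the unknown, then release or remove on the cloud verdict, holding it if the cloud is unreachable) is easier to reason about as code. The following is an added toy model, not Xcitium's code and not a description of its kernel filter drivers: the host file system is a dict, the "virtualization layer" is a copy-on-write view, and the signature marker, known-good hash and cloud verdicts are constructed values. One assumption is made that the article does not state: a clean verdict merges the writes made while contained back into the host, and a malicious verdict discards them along with the file.

```python
"""Toy model of a contain-first endpoint pipeline (constructed example, not Xcitium's code)."""
import hashlib
from enum import Enum
from typing import Callable, Dict, List, Optional, Set, Tuple


class Verdict(Enum):
    BLOCK = "block"      # AV signature hit: never executes
    ALLOW = "allow"      # known-good hash: executes directly on the host
    CONTAIN = "contain"  # unknown: executes against a virtualised view


# Constructed threat intelligence for this example only (hypothetical values).
KNOWN_BAD_SIGNATURES: Set[bytes] = {b"CONSTRUCTED-MALWARE-MARKER"}
KNOWN_GOOD_HASHES: Set[str] = {hashlib.sha256(b"MZ constructed-trusted-updater").hexdigest()}


def triage(image: bytes) -> Verdict:
    """Same order as the article: signatures first, reputation second, containment last."""
    if any(sig in image for sig in KNOWN_BAD_SIGNATURES):
        return Verdict.BLOCK
    if hashlib.sha256(image).hexdigest() in KNOWN_GOOD_HASHES:
        return Verdict.ALLOW
    return Verdict.CONTAIN


class HostView:
    """Direct access to the dict-modelled host file system, handed to trusted code."""
    def __init__(self, host: Dict[str, bytes]):
        self._host = host

    def read(self, path: str) -> bytes:
        return self._host[path]

    def write(self, path: str, data: bytes) -> None:
        self._host[path] = data

    def delete(self, path: str) -> None:
        del self._host[path]


class ShadowView(HostView):
    """Copy-on-write view: reads fall through to the host, writes and deletes stay in a shadow."""
    def __init__(self, host: Dict[str, bytes]):
        super().__init__(host)
        self._writes: Dict[str, bytes] = {}
        self._deletes: Set[str] = set()

    def read(self, path: str) -> bytes:
        if path in self._deletes:
            raise FileNotFoundError(path)
        if path in self._writes:
            return self._writes[path]
        return self._host[path]

    def write(self, path: str, data: bytes) -> None:
        self._deletes.discard(path)
        self._writes[path] = data

    def delete(self, path: str) -> None:
        self._writes.pop(path, None)
        self._deletes.add(path)

    def merge_into_host(self) -> None:
        """Assumption of this model: a clean verdict commits the shadowed changes to the host."""
        for path in self._deletes:
            self._host.pop(path, None)
        self._host.update(self._writes)


Program = Callable[[HostView], None]
CloudLookup = Callable[[bytes], Optional[bool]]  # True = clean, False = malicious, None = offline


class Endpoint:
    def __init__(self, host: Dict[str, bytes], cloud: CloudLookup):
        self.fs = host
        self.cloud = cloud
        self.contained: Dict[str, ShadowView] = {}

    def execute(self, path: str, program: Program) -> str:
        """Run `program` (the image at `path`) through the pipeline and return its state."""
        verdict = triage(self.fs[path])
        if verdict is Verdict.BLOCK:
            return "blocked"                    # AV stops it up front; nothing runs
        if verdict is Verdict.ALLOW:
            program(HostView(self.fs))          # trusted: real resources
            return "allowed"
        view = self.contained.setdefault(path, ShadowView(self.fs))
        program(view)                           # unknown: only ever sees the shadow
        return self.resolve(path)

    def resolve(self, path: str) -> str:
        """Apply the cloud verdict if one is available; otherwise the program stays jailed."""
        result = self.cloud(self.fs[path])
        if result is None:
            return "contained-pending"          # offline: keep it contained, look it up later
        view = self.contained.pop(path)
        if result:
            view.merge_into_host()
            return "released"
        del self.fs[path]                       # malicious: shadow discarded, file removed
        return "removed"


def scenario(verdicts: List[Optional[bool]]) -> Tuple[List[str], Dict[str, bytes]]:
    """Run a never-seen binary, retrying the lookup until the cloud answers. Constructed data."""
    host = {"C:/tools/unknown.exe": b"MZ never-seen-before", "C:/data/report.txt": b"quarterly numbers"}
    answers = iter(verdicts)
    endpoint = Endpoint(host, lambda image: next(answers))

    def untrusted_program(view: HostView) -> None:  # drops a DLL and tampers with user data
        view.write("C:/Users/Public/payload.dll", b"stage2")
        view.write("C:/data/report.txt", b"overwritten")

    exe = "C:/tools/unknown.exe"
    states = [endpoint.execute(exe, untrusted_program)]
    while states[-1] == "contained-pending":
        states.append(endpoint.resolve(exe))
    return states, host
```

Running `scenario([None, False])` shows the offline case from the quote: the program runs and "works" from its own point of view, but the host's report is untouched and no DLL lands on disk; when the cloud finally answers "malicious" the file is gone and the shadow with it. The interesting check for a real deployment is the length of that pending window and what the contained program is allowed to reach while it lasts.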

Drew’s View

Endpoint protection is a tough game. PCs and laptops need to connect to all kinds of networks and work with hundreds and hundreds of applications. They run buggy OS and app software, they might not get patched very often, and they tend to be operated by folks who will click on anything and get impatient if security software hampers productivity.

In this environment, it seems nearly impossible for a software security agent to perform reliably and consistently. But endpoint vendors keep trying and customers keep buying. I’m intrigued by the notion of adding virtualization to the mix, but there are no magic solutions. Like all endpoint offerings, I expect that Xcitium is going to win some and lose some. The hope is that the virtualization option can help deliver an acceptable win/loss ratio.

About Drew Conry-Murray: Drew Conry-Murray has been writing about information technology for more than 15 years, with an emphasis on networking, security, and cloud. He's co-host of The Network Break podcast and a Tech Field Day delegate. He loves real tea and virtual donuts, and is delighted that his job lets him talk with so many smart, passionate people. He writes novels in his spare time.